Webhook Signature Validator

Verify HMAC-signed webhook payloads from Stripe, GitHub, Slack, and any service that signs webhooks with a shared secret


What Is Webhook Signature Validation?

Webhook signature validation is the process of verifying that an incoming webhook request genuinely came from the expected sender and hasn't been tampered with. Services like Stripe, GitHub, Slack, and many others sign their webhook payloads using HMAC (Hash-based Message Authentication Code) with a shared secret known only to the sender and the receiver.

By recomputing the HMAC signature on the received payload and comparing it to the signature included in the webhook headers, you can cryptographically verify the authenticity and integrity of the webhook — before processing it.

How to Use

  1. Select the algorithm or service — Choose HMAC-SHA256, SHA1, SHA512, or a service-specific format (Stripe, GitHub, Slack).
  2. Enter the webhook secret — The shared secret key your webhook provider gave you (e.g., whsec_... for Stripe).
  3. Paste the signature header — The value from the Stripe-Signature, X-Hub-Signature-256, or similar header.
  4. Paste the raw payload — The exact request body received by your webhook endpoint.
  5. Click Validate Signature — The tool computes the expected signature and compares it to the provided one.

Common Webhook Signature Formats

Stripe

Header: Stripe-Signature

Format: t=timestamp,v1=signature,v0=legacy

Algorithm: HMAC-SHA256 with timestamp.payload as the signing string

Uses a secret with the whsec_ prefix

GitHub

Header: x-hub-signature-256

Format: sha256=hex-signature

Algorithm: HMAC-SHA256 of the raw request body

Also supports x-hub-signature (SHA1)

Slack

Header: x-slack-signature

Format: v0=hex-signature

Algorithm: HMAC-SHA256 with v0:timestamp:body as the signing string

Uses signing secret from Slack app config

Generic HMAC

Header: Custom (e.g. x-webhook-signature)

Format: Typically hex-signature or alg=hex-signature

Supports SHA1, SHA256, SHA512

Simple HMAC of the request body
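
The Stripe, GitHub and Slack formats above, checked server-side in Python with a constant-time comparison and a timestamp freshness check. This is an added example, not this tool's own code. The function names, the 300-second replay window and the sample secret and payload are assumptions; Slack sends its timestamp in the X-Slack-Request-Timestamp header.

```python
import hashlib
import hmac
import time

TOLERANCE = 300  # seconds; assumed replay window, not a value from the page

def mac_hex(secret: bytes, msg: bytes) -> str:
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def same(expected: str, given: str) -> bool:
    # Constant-time compare on bytes; comparing str values raises on non-ASCII input.
    return hmac.compare_digest(expected.encode(), given.encode("utf-8", "replace"))

def fresh(ts: str, now: float) -> bool:
    # Malformed or stale timestamps are rejected so a captured request cannot be replayed.
    return ts.isascii() and ts.isdigit() and abs(now - int(ts)) <= TOLERANCE

def verify_github(secret: bytes, body: bytes, header: str) -> bool:
    # x-hub-signature-256: "sha256=<hex>" over the raw request body
    return same("sha256=" + mac_hex(secret, body), header)

def verify_stripe(secret: bytes, body: bytes, header: str, now: float) -> bool:
    # Stripe-Signature: "t=<ts>,v1=<hex>[,v1=<hex>...]" over "<ts>.<body>"
    pairs = [item.strip().partition("=") for item in header.split(",")]
    ts = next((v for k, _, v in pairs if k == "t"), "")
    if not fresh(ts, now):
        return False
    expected = mac_hex(secret, ts.encode() + b"." + body)
    return any(same(expected, v) for k, _, v in pairs if k == "v1")

def verify_slack(secret: bytes, body: bytes, header: str, ts: str, now: float) -> bool:
    # x-slack-signature: "v0=<hex>" over "v0:<ts>:<body>"
    if not fresh(ts, now):
        return False
    return same("v0=" + mac_hex(secret, b"v0:" + ts.encode() + b":" + body), header)

if __name__ == "__main__":
    # Constructed sample secret and payload, for demonstration only.
    secret, body = b"whsec_constructed_example", b'{"id":"evt_constructed"}'
    now = int(time.time())
    header = "t=%d,v1=%s" % (now, mac_hex(secret, str(now).encode() + b"." + body))
    print(verify_stripe(secret, body, header, now))         # genuine request
    print(verify_stripe(secret, body + b" ", header, now))  # altered body fails
    print(verify_stripe(secret, body, header, now + 3600))  # outside the replay window
```

Pass the request body as the exact bytes received; parsing and re-serializing the JSON before verification changes the signing string.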

FAQs

Why is signature validation important?

Without validation, anyone who knows your webhook URL can send fake events to your endpoint, potentially triggering actions like order fulfillment, account changes, or data processing. Signature validation ensures the webhook genuinely came from the service you trust.

What if my signature doesn't match?

Common causes include an incorrect secret key, the wrong payload (check for whitespace differences, encoding issues, or URL-encoded bodies), the wrong signature format (check for a prefix), or the wrong timestamp with services like Stripe that include a timestamp in the signature.

Are my secrets safe using this tool?

Yes. All signature computation happens entirely in your browser using the Web Crypto API. No data is sent to any server. Your secret, payload, and signatures remain private.

What is the difference between SHA1, SHA256, and SHA512?

They are cryptographic hash functions of different strength. SHA256 is recommended for most use cases. SHA1 is considered weak but still used by some legacy services. SHA512 provides a larger hash for higher security requirements.